Parsons v. Kimpton Hotel & Restaurant Group, LLC

Filing 44

ORDER by Judge Chhabria granting in part and denying in part #36 Motion to Dismiss. (vclc1S, COURT STAFF) (Filed on 4/13/2017)

Download PDF
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA LEE WALTERS, Case No. 16-cv-05387-VC Plaintiff, v. KIMPTON HOTEL & RESTAURANT GROUP, LLC, ORDER GRANTING IN PART AND DENYING IN PART THE MOTION TO DISMISS Re: Dkt. No. 36 Defendant. The motion to dismiss is granted in part and denied in part. 1. Kimpton's motion to dismiss the complaint for lack of standing is denied. As an initial matter, the Court agrees with Kimpton that the allegations about Walters's December 28, 2015 hotel stay do not support standing. This stay occurred several months prior to the date the malware attack allegedly began, and Walters offers no allegations to show how the breach could have placed at risk the data associated with the payment card that Walters used during that stay. The May 29th visit, on the other hand, fell during the alleged "at-risk" window. Walters alleged that, from February 16, 2016 until July 7, 2016, hackers used malware to access Kimpton computer systems and steal copies of customer data. It is plausible to infer from the complaint that Walters's information was among the payment card information stolen. The theft of Walters's payment card data and the time and effort he has expended to monitor his credit are sufficient to demonstrate injury for standing purposes. See Lewert v. P.F. Chang's China Bistro, 819 F.3d 963, 965, 967-68 (7th Cir. 2016). Unlike the plaintiffs in Clapper v. Amnesty Int'l USA, whose fears that the Government would monitor and intercept their communications were insufficient to demonstrate "certainly impending" injury, Walters plausibly alleged that his data has already been stolen and that it was taken in a manner that suggests it will be misused. 133 S. Ct. 1138, 1151 (2013); see Galaria v. Nationwide Mut. Ins. Co., 663 Fed. App'x 384, 388 (6th Cir. 2016) ("There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals."). Kimpton points to several district court cases holding that the theft of payment card data, coupled with evidence of a single or just a few unauthorized charges, is insufficient to confer standing. See Dugas v. Starwood Hotels & Resorts Worldwide, Inc., No. 16-cv-00014, 2016 WL 6523428, at *5 (S.D. Cal. Nov. 3, 2016); Torres v. Wendy's Co., 195 F. Supp. 3d 1278, 1284-85 (M.D. Fla. 2016); In re SuperValu, Inc., No. 14-md-02586, 2016 WL 81792, at *5 (D. Minn. Jan. 7, 2016). The Court respectfully disagrees that a plaintiff must actually suffer the misuse of his data or an unauthorized charge before he has an injury for standing purposes. See Lewert, 819 F.3d at 967-68 (concluding that time and effort spent monitoring card statements and financial accounts were sufficient to confer standing to Lewert even though he had not yet experienced unauthorized charges); see also In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1215 (N.D. Cal. 2014) ("[T]o require Plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be 'literally certain' in order to constitute injury-in-fact."). 2. The motion to dismiss the implied contract claim is denied. Walters plausibly alleged the existence of an implied contract arising from Kimpton's privacy policy, which states that Kimpton is "committed" to safeguarding customer privacy and personal information.1 To the extent this commitment creates an enforceable promise, the promise is a voluntary duty not imposed by law and constitutes valid consideration. See Janda v. Madera Cmty. Hosp., 16 F. Supp. 2d 1181, 1188 (E.D. Cal. 1998). Walters sufficiently alleged 1 Although Walters does not discuss the privacy policy under the "Breach of Implied Contract" heading, the discussion of the privacy policy elsewhere in the complaint is adequate to put Kimpton on notice of the basis for Walters's claim. 2 "actual damages" flowing from the alleged breach, including having to "secure and maintain" credit monitoring services (which presumably come at a cost) and other "out-of-pocket expenses and the value of . . . time reasonably incurred to remedy or mitigate" the breach. See In re Anthem, Inc. Data Breach Litig., No. 15-md-02617, 2016 WL 3029783, at *16 (N.D. Cal. May 27, 2016); see also Lewert, 819 F.3d at 967-68. 3. The motion to dismiss the negligence claim is denied. For the reasons discussed above, Walters has alleged actual damages. With respect to Kimpton's argument that the economic loss rule bars this claim, the Court lacks sufficient information to rule on this claim at the motion to dismiss stage. 4. The motion to dismiss the UCL claims is denied in part and granted in part. For the reasons stated above, Walters has alleged economic injury resulting from the breach. Accordingly, the motion to dismiss the UCL claims for unfair and unlawful business practices is denied. However, Walters fails to plead that he actually relied on Kimpton's alleged misrepresentations, as he was required to do to state a UCL claim based on fraud. See Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 326 & n.9 (2011). The fraud claim will be dismissed with prejudice because Kimpton put Walters on notice of this defect in its first motion to dismiss, and, when given the opportunity to amend his complaint rather than respond to the motion, Walters failed to correct the defect. IT IS SO ORDERED. Dated: April 13, 2017 ______________________________________ VINCE CHHABRIA United States District Judge 3

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

Why Is My Information Online?